This fixes CVE-2018-18440 ("insufficient boundary checks in filesystem
image load") by using lmb to check the load size of a file against
reserved memory addresses.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This particular commit is causing a regression on stih410-b2260 and
other platforms when reading from FAT16. Noting that I had rebased the
original fix from Thomas onto then-current master, there is also
question from Akashi-san if the change is still needed after other FAT
fixes that have gone in.
This reverts commit a68b0e11ea.
Reported-by: Patrice Chotard <patrice.chotard@st.com>
Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: Thomas RIENOESSL <thomas.rienoessl@bachmann.info>
Signed-off-by: Tom Rini <trini@konsulko.com>
The call to file_cbfs_fill_cache() is given with the parameter
'start' pointing to the offset by the CBFS base address, but
with the parameter 'size' that equals to the whole CBFS size.
During CBFS walking through, it checks files one by one and
after it pass over the end of the CBFS which is 4GiB boundary
it tries to check files from address 0 and so on, until the
overall size the codes checked hits to the given 'size'.
Fix this by passing 'start' pointing to the CBFS base address.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
cbfs_fileheader.len indicates the content size of the file in the
cbfs, and it has nothing to do with cbfs_fileheader.offset which
is the starting address of the file in the cbfs.
Remove such check in file_cbfs_next_file(). Before this change
'cbfsinit' failed with 'Bad CBFS file'. After this change all cbfs
commands are working as expected.
Signed-off-by: Christian Gmeiner <christian.gmeiner@gmail.com>
[bmeng: keep the necessary header sanity check]
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The long name apparently can be accumulated using multiple
13-byte slots. Unfortunately we never checked how many we
can actually fit in the buffer we are reading to.
Signed-off-by: Patrick Wildt <patrick@blueri.se>
The cluster size specifies how many sectors make up a cluster. A
cluster size of zero makes no sense, as it would mean that the
cluster is made up of no sectors. This will later lead into a
division by zero in sect_to_clust(), so better take care of that
early.
The MAX_CLUSTSIZE define can reduced using a define to make some
room in low-memory system. Unfortunately if the code reads a
filesystem with a bigger cluster size it will overflow the buffer.
Signed-off-by: Patrick Wildt <patrick@blueri.se>
As in the case of fs_set_blk_dev(), fs_set_blk_dev_with_part() should
maintain and update fs_dev_part whenever called.
Without this patch, a problem will come up when an efi binary associated
with efi's BOOTxxxx variable is invoked via "bootefi bootmgr".
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
This fixes problems accessing drives formated under
Windows as FAT16.
Signed-off-by: Thomas RIENOESSL <thomas.rienoessl@bachmann.info>
[trini: Rebase on top of f528c140c8]
Signed-off-by: Tom Rini <trini@konsulko.com>
Add fs.c under SPL as well as it is needed for fs_loader
Signed-off-by: Keerthy <j-keerthy@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
[trini: Add as obj-$(CONFIG_FS_LOADER) for non-SPL_FRAMEWORK builds]
Signed-off-by: Tom Rini <trini@konsulko.com>
Add local size_t variable to crypto_comp_decompress as intermediate
storage for destination length to avoid memory corruption and incorrect
results on 64 bit targets.
This is what linux does for the various lz compression implementations.
Signed-off-by: Paul Davey <paul.davey@alliedtelesis.co.nz>
Cc: Heiko Schocher <hs@denx.de>
Tested-by: Heiko Schocher <hs@denx.de>
As observed with clang:
fs/fat/fat_write.c:1024:13: warning: comparison of constant 128
with expression of type 'char' is always false
[-Wtautological-constant-out-of-range-compare]
if ((0x80 <= c) && (c <= 0xff))
~~~~ ^ ~
fs/fat/fat_write.c:1024:25: warning: comparison of constant 255
with expression of type 'char' is always true
[-Wtautological-constant-out-of-range-compare]
if ((0x80 <= c) && (c <= 0xff))
~ ^ ~~~~
Fixes: 25bb9dab14 ("fs: fat: check and normalize file name")
Signed-off-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
When traversing slots in a btree (via btrfs_path) with btrfs_next_slot(),
we didn't correctly identify that the last slot in the leaf was reached
and we should jump to the next leaf.
This could lead to any kind of runtime errors or corruptions, like:
* file data not being read at all, or is read partially
* file is read but is corrupted
* (any) metadata being corrupted or not read at all, etc
The easiest way to reproduce this is to read a large enough file that
its EXTENT_DATA items don't fit into a single leaf.
Signed-off-by: Yevgeny Popovych <yevgenyp@pointgrab.com>
Cc: Marek Behun <marek.behun@nic.cz>
Tested-by: Marek Behún <marek.behun@nic.cz>
Avoid CoverityScan warning SIGN_EXTENSION by changing the type of
parameter size of set_cluster().
Avoid leaking stack content when writing an incomplete last sector.
Reported-by: Coverity (CID: 184096)
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Do not leak filename_copy in case of error.
Catch out of memory when calling strdup.
Reported-by: Coverity (CID: 184086)
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The btrfs implementation passes cache-unaligned buffers into the
block layer, which triggers cache alignment problems down in the
block device drivers. Align the buffers to prevent this.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Marek Behun <marek.behun@nic.cz>
The FAT driver supports unaligned reads and writes and EFI applications
will make use of these. So a misaligned buffer is only worth a debug
message.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
In this patch, unlink support is added to FAT file system.
A directory can be deleted only if it is empty.
In this implementation, only a directory entry for a short file name
will be removed. So entries for a long file name can and should be
reclaimed with fsck.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
"unlink" interface is added to file operations.
This is a preparatory change as unlink support for FAT file system
will be added in next patch.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
In this patch, mkdir support is added to FAT file system.
A newly created directory contains only "." and ".." entries.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
The starting cluster number of directory is needed to initialize ".."
(parent directory) entry when creating a new directory.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
"mkdir" interface is added to file operations.
This is a preparatory change as mkdir support for FAT file system
will be added in next patch.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
In this patch, all the necessary code for allowing for a file offset
at write is implemented. What plays a major roll here is get_set_cluster(),
which, in contrast to its counterpart, set_cluster(), only operates on
already-allocated clusters, overwriting with data.
So, with a file offset specified, set_contents() seeks and writes data
with set_get_cluster() until the end of a file, and, once it reaches
there, continues writing with set_cluster() for the rest.
Please note that a file will be trimmed as a result of write operation if
write ends before reaching file's end. This is an intended behavior
in order to maintain compatibility with the current interface.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
The current write implementation is quite simple: remove existing clusters
and then allocating new ones and filling them with data. This, inevitably,
enforces always writing from the beginning of a file.
As the first step to lift this restriction, fat_file_write() and
set_contents() are modified to accept an additional parameter, file offset
and further re-factored so that, in the next patch, all the necessary code
will be put into set_contents().
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
In this patch, write implementation is overhauled and rewritten by
making full use of directory iterator. The obvious bonus is that we are
now able to write to a file with a directory path, like /A/B/C/FILE.
Please note that, as there is no notion of "current directory" on u-boot,
a file name specified must contain an absolute directory path. Otherwise,
"/" (root directory) is assumed.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
It would be good that FAT write function return error code instead of
just returning -1 as fat_read_file() does.
This patch attempts to address this issue although it is 'best effort
(or estimate)' for now.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
FAT file system's long file name support is a bit complicated and has some
restrictions on its naming. We should be careful about it especially for
write as it may easily end up with wrong file system.
normalize_longname() check for the rules and normalize a file name
if necessary. Please note, however, that this function is yet to be
extended to fully comply with the standard.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
This reverts commit 0dc1bfb730.
The succeeding patch series will supersede it.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
In my attempt to re-work write operation, it was revealed that iterator's
"clust" does not always point to a cluster to which a current directory
entry ("dent") belongs.
This patch assures that it is always true by adding "next_clust" which is
used solely for dereferencing a cluster chain.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
FAT's root directory does not have "." nor ".."
So care must be taken when scanning root directory with fat_itr_resolve().
Without this patch, any file path starting with "." or ".." will not be
resolved at all.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
get_fs_info() was introduced in major re-work of read operation by Rob.
We want to reuse this function in write operation by extending it with
additional members in fsdata structure.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
I just stumbled over some cluttered UBIFS messages. It seems some
newline chars are missing in the current U-Boot UBI source.
Signed-off-by: Stefan Roese <sr@denx.de>
Cc: Heiko Schocher <hs@denx.de>
In int-ll64.h, we always use the following typedefs:
typedef unsigned int u32;
typedef unsigned long uintptr_t;
typedef unsigned long long u64;
This does not need to match to the compiler's <inttypes.h>.
Do not include it.
The use of PRI* makes the code super-ugly. You can simply use
"l" for printing uintptr_t, "ll" for u64, and no modifier for u32.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
In order to make the debug print in file_fat_read_at() a tad more useful,
show the offset the file is being read at alongside the filename.
Suggested-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
fs_fat_write() is not able to write to subdirectories.
Currently if a filepath with a leading slash is passed, the slash is
treated as part of the filename to be created in the root directory.
Strip leading (back-)slashes.
Check that the remaining filename does not contain any illegal characters
(<>:"/\|?*). This way we will throw an error when trying to write to a
subdirectory.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
The comparison
logical > item->logical + item->length
in btrfs_map_logical_to_physical is wrong and should be instead
logical >= item->logical + item->length
For example, if
item->logical = 4096
item->length = 4096
and we are looking for logical = 8192, it is not part of item (item is
[4096, 8191]). But the comparison is false and we think we have found
the correct item, although we should be searing in the right subtree.
This fixes some bugs I encountered.
Signed-off-by: Marek Behun <marek.behun@nic.cz>
By checking ubifs source code, s_instances parameter is not
used anymore. So, set this parameter and the associated source
code under __UBOOT__ compilation.
Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
This is the case when reading freshly created filesystem.
The error message is like the following:
btrfs_read_superblock: No valid root_backup found!
Since the data from super_roots/root_backups is not actually used -
decided to rework btrfs_newest_root_backup() into
btrfs_check_super_roots() that will only check if super_roots
array is valid and correctly handle empty scenario.
As a result:
* btrfs_read_superblock() now only checks if super_roots array is valid;
the case when it is empty is considered OK.
* removed root_backup pointer from btrfs_info,
which would be NULL in case of empty super_roots.
* btrfs_read_superblock() verifies number of devices from the superblock
itself, not newest root_backup.
Signed-off-by: Yevgeny Popovych <yevgenyp@pointgrab.com>
Cc: Marek Behun <marek.behun@nic.cz>
Cc: Sergey Struzh <sergeys@pointgrab.com>
This causes errors when translating logical addresses to physical:
btrfs_map_logical_to_physical: Cannot map logical address <addr> to physical
btrfs_file_read: Error reading extent
The behavior of btrfs_map_logical_to_physical() is to stop traversing
CHUNK_TREE when it encounters first non-CHUNK_ITEM, which makes
only some portion of CHUNK_ITEMs being read.
Change it to skip over non-chunk items.
Signed-off-by: Yevgeny Popovych <yevgenyp@pointgrab.com>
Cc: Marek Behun <marek.behun@nic.cz>
Cc: Sergey Struzh <sergeys@pointgrab.com>
Reviewed-by: Marek Behun <marek.behun@nic.cz>
Add fs_get_type_name so we can get the current filesystem type.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Joe Hershberger <joe.hershberger@ni.com>
Found a crash while issuing ext4ls with a non-existent directory.
Crash test:
=> ext4ls mmc 0 1
** Can not find directory. **
data abort
pc : [<3fd7c2ec>] lr : [<3fd93ed8>]
reloc pc : [<26f142ec>] lr : [<26f2bed8>]
sp : 3f963338 ip : 3fdc3dc4 fp : 3fd6b370
r10: 00000004 r9 : 3f967ec0 r8 : 3f96db68
r7 : 3fdc99b4 r6 : 00000000 r5 : 3f96dc88 r4 : 3fdcbc8c
r3 : fffffffa r2 : 00000000 r1 : 3f96e0bc r0 : 00000002
Flags: nZCv IRQs off FIQs off Mode SVC_32
Resetting CPU ...
resetting ...
Tested on SAMA5D2_Xplained board (sama5d2_xplained_mmc_defconfig)
Looks like crash is introduced by commit:
"fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
Issue is that dirnode is not initialized, and then freed if the call
to ext4_ls fails. ext4_ls will not change the value of dirnode in this case
thus we have a crash with data abort.
I added initialization and a check for dirname being NULL.
Fixes: "fa9ca8a" fs/ext4/ext4fs.c: Free dirnode in error path of ext4fs_ls
Cc: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Cc: Tom Rini <trini@konsulko.com>
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
This patch solves assert failed displayed in the console during a boot.
The root cause is that the ubifs_inode is not already allocated when
ubifs_printdir and ubifs_finddir functions are called.
Trace showing the issue:
feed 'boot.scr.uimg', ino 94, new f_pos 0x17b40ece
dent->ch.sqnum '7132', creat_sqnum 3886945402880
UBIFS assert failed in ubifs_finddir at 436
INODE ALLOCATION: creat_sqnum '7129'
Found U-Boot script /boot.scr.uimg
Signed-off-by: Christophe Kerello <christophe.kerello@st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
The mutex lock and unlock functions are stubbed out and mutex_is_locked
was 0. This caused asserts to fail in ubifs code when checking that the
mutex was locked. For example,
UBIFS assert failed in ubifs_change_lp at 540
UBIFS assert failed in ubifs_release_lprops at 278
Assume that the "mutex" is locked since that is the normal case when it
is checked in the ubifs code.
Signed-off-by: Bradley Bolen <bradleybolen@gmail.com>
Introduce another difference from upstream (kernel) source in
fs/ubifs/super.c: adding preprocessor condition as y variable in
mount_ubifs() depends on CONFIG_UBIFS_SILENCE_MSG:
fs/ubifs/super.c:1337:15: error: variable ?y? set but not used [-Werror=unused-but-set-variable]
long long x, y;
Not setting CONFIG_UBIFS_SILENCE_MSG in am335x_igep003x_defconfig and
igep0032_defconfig. Although it was defined in their config headers, it
depends on CMD_UBIFS which is not set for them.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Cc: Joe Hershberger <joe.hershberger@ni.com>
Cc: Heiko Schocher <hs@denx.de>
Use of CONFIG_UBIFS_SILENCE_MSG was added in
147162dac6 ("ubi: ubifs: Turn off verbose prints")
Then it was removed in
ff94bc40af ("mtd, ubi, ubifs: resync with Linux-3.14")
Cc: Joe Hershberger <joe.hershberger@ni.com>
Cc: Heiko Schocher <hs@denx.de>
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>